Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/06/2024, 23:02

General

  • Target

    2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe

  • Size

    4.8MB

  • MD5

    3319874e23150bba7627d9e8246022c9

  • SHA1

    25a8993d1c9def294bd2392f9e5672a8f43a979e

  • SHA256

    02bb716f0204fcedfd4279730433ba7789f3dd5517cdadc274b3b3355741945d

  • SHA512

    292f5bc57597c9514d3b66c0bfba299e01873c9a604148c1f2c08acdb1706dcd8e3b1fdfc1543420114326e97d72973e42dacf0186e5aa0a6e2803b92888ed89

  • SSDEEP

    49152:D8DvYitEwcVbZ1tSWRa4NL1aMsGuIA5EdBzfZk96c9:YtefBNL1aZh3Edvk8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 48 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_3319874e23150bba7627d9e8246022c9_snatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Users\Admin\AppData\Local\Temp\go-memexec-102811933.exe
      C:\Users\Admin\AppData\Local\Temp\go-memexec-102811933.exe
      2⤵
      • Executes dropped EXE
      PID:3628
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4988
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4076
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1140
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4860
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4820
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1764
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2984
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4044
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3776
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:5020
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1372
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1092
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4892
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4544
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4884
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4944
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2984
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3416
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4952
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3736
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:756
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3960
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3732
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3696
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:5112
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:216
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:64
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4628
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:3488
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1040
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4992
    • C:\Windows\system32\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4852
    • C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq wireshark"
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\go-memexec-102811933.exe

    Filesize

    1.6MB

    MD5

    5efef6cc9cd24baeeed71c1107fc32df

    SHA1

    3cfc9764083154f682a38831c8229e3e29cbe3ef

    SHA256

    e61b8f44ab92cf0f9cb1101347967d31e1839979142a4114a7dd02aa237ba021

    SHA512

    cecd98f0e238d7387b44838251b795bb95e85ec8d35242fc24532ba21929759685205133923268bf8bc0e2ded37db7d88ecbe2b692d2be6f09c6d92a57d1fdac